This post shows you how to confirm the current SELinux status before you decide to disable SELinux.
SELinux Enforcing vs Permissive
The most burning question usually is: does my Red Hat/CentOS Linux enforce SELinux (and prevent some of my applications from running out of the box), or is it in the permissive state (which means it logs security concerns but doesn't block anything from running)?
Answering this is very easy with the help of the getenforce command:
[[email protected] ~]$ getenforce
Enforcing
SELinux status with sestatus
[[email protected] ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
How to read the sestatus output
Although the output of sestatus is fairly standard, you'll appreciate how useful it is once you start making changes to your SELinux policies.
- Loaded policy name is useful because you can make SELinux load a strict policy as well, and it's important to understand which one is currently in use.
- Current mode confirms whether SELinux is running in enforcing or permissive mode.
- Policy MLS status: must research more! I know MLS is Multi Level Security, but need to understand why it's a separate option here.
- Memory protection checking – must come back to this as I'm not finding enough information. This is a flag confirming that SELinux still protects certain memory access syscalls in your Linux.
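The fields above can also be read by a script. The following is an added example, not part of the original post: it parses sestatus-style text and flags a host where "Current mode" and "Mode from config file" disagree. The function names, verdict labels and sample inputs are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example: classify sestatus-style output. All samples are constructed.

# Constructed: same fields as the page's output, healthy enforcing host.
SAMPLE_ENFORCING='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing'

# Constructed: runtime mode changed, config file untouched.
SAMPLE_DRIFT='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

# Constructed: a disabled host reports only the status line.
SAMPLE_DISABLED='SELinux status:                 disabled'

# sestatus_field TEXT LABEL: print the value that follows "LABEL:".
sestatus_field() {
    printf '%s\n' "$1" | awk -F: -v key="$2" '
        $1 == key { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# sestatus_verdict TEXT: print disabled, drift, enforcing, permissive or unknown.
sestatus_verdict() {
    status=$(sestatus_field "$1" "SELinux status")
    current=$(sestatus_field "$1" "Current mode")
    config=$(sestatus_field "$1" "Mode from config file")
    case "$status" in
        disabled) echo disabled; return 0 ;;
        enabled) ;;
        *) echo unknown; return 0 ;;
    esac
    # Runtime and on-disk modes disagree; the config file mode applies at boot.
    if [ "$current" != "$config" ]; then echo drift; return 0; fi
    case "$current" in
        enforcing|permissive) echo "$current" ;;
        *) echo unknown ;;
    esac
}

for sample in "$SAMPLE_ENFORCING" "$SAMPLE_DRIFT" "$SAMPLE_DISABLED"; do
    echo "verdict: $(sestatus_verdict "$sample")"
done
```

On a live host, pass the real output instead of a sample: sestatus_verdict "$(sestatus)".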